oauth2

package
v1.0.0-beta.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2018 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

View Source
const (
	OpenIDConnectKeyName = "hydra.openid.id-token"

	DefaultConsentPath = "/oauth2/fallbacks/consent"
	DefaultErrorPath   = "/oauth2/fallbacks/error"
	TokenPath          = "/oauth2/token"
	AuthPath           = "/oauth2/auth"

	UserinfoPath  = "/userinfo"
	WellKnownPath = "/.well-known/openid-configuration"
	JWKPath       = "/.well-known/jwks.json"

	// IntrospectPath points to the OAuth2 introspection endpoint.
	IntrospectPath = "/oauth2/introspect"
	RevocationPath = "/oauth2/revoke"
	FlushPath      = "/oauth2/flush"
)

Variables

This section is empty.

Functions

func AssertObjectKeysEqual added in v0.8.6

func AssertObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)

func AssertObjectKeysNotEqual added in v0.8.6

func AssertObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)

func RequireObjectKeysEqual added in v0.8.6

func RequireObjectKeysEqual(t *testing.T, a, b interface{}, keys ...string)

func RequireObjectKeysNotEqual added in v0.8.6

func RequireObjectKeysNotEqual(t *testing.T, a, b interface{}, keys ...string)

func TestHelperCreateGetDeleteAccessTokenSession added in v0.9.3

func TestHelperCreateGetDeleteAccessTokenSession(m pkg.FositeStorer) func(t *testing.T)

func TestHelperCreateGetDeleteAuthorizeCodes added in v0.9.3

func TestHelperCreateGetDeleteAuthorizeCodes(m pkg.FositeStorer) func(t *testing.T)

func TestHelperCreateGetDeleteOpenIDConnectSession added in v0.9.4

func TestHelperCreateGetDeleteOpenIDConnectSession(m pkg.FositeStorer) func(t *testing.T)

func TestHelperCreateGetDeletePKCERequestSession added in v0.11.12

func TestHelperCreateGetDeletePKCERequestSession(m pkg.FositeStorer) func(t *testing.T)

func TestHelperCreateGetDeleteRefreshTokenSession added in v0.9.4

func TestHelperCreateGetDeleteRefreshTokenSession(m pkg.FositeStorer) func(t *testing.T)

func TestHelperFlushTokens added in v0.11.10

func TestHelperFlushTokens(m pkg.FositeStorer, lifespan time.Duration) func(t *testing.T)

func TestHelperRevokeRefreshToken added in v0.9.4

func TestHelperRevokeRefreshToken(m pkg.FositeStorer) func(t *testing.T)

Types

type FlushInactiveOAuth2TokensRequest added in v0.11.10

type FlushInactiveOAuth2TokensRequest struct {
	// NotAfter sets after which point tokens should not be flushed. This is useful when you want to keep a history
	// of recently issued tokens for auditing.
	NotAfter time.Time `json:"notAfter"`
}

swagger:model flushInactiveOAuth2TokensRequest

type FositeMemoryStore added in v0.6.0

type FositeMemoryStore struct {
	client.Manager

	AuthorizeCodes      map[string]authorizeCode
	IDSessions          map[string]fosite.Requester
	AccessTokens        map[string]fosite.Requester
	RefreshTokens       map[string]fosite.Requester
	PKCES               map[string]fosite.Requester
	AccessTokenLifespan time.Duration

	sync.RWMutex
}

func NewFositeMemoryStore added in v0.11.10

func NewFositeMemoryStore(m client.Manager, ls time.Duration) *FositeMemoryStore

func (*FositeMemoryStore) CreateAccessTokenSession added in v0.6.0

func (s *FositeMemoryStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error

func (*FositeMemoryStore) CreateAuthorizeCodeSession added in v0.6.0

func (s *FositeMemoryStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error

func (*FositeMemoryStore) CreateImplicitAccessTokenSession added in v0.6.0

func (s *FositeMemoryStore) CreateImplicitAccessTokenSession(ctx context.Context, code string, req fosite.Requester) error

func (*FositeMemoryStore) CreateOpenIDConnectSession added in v0.6.0

func (s *FositeMemoryStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error

func (*FositeMemoryStore) CreatePKCERequestSession added in v0.11.12

func (s *FositeMemoryStore) CreatePKCERequestSession(_ context.Context, code string, req fosite.Requester) error

func (*FositeMemoryStore) CreateRefreshTokenSession added in v0.6.0

func (s *FositeMemoryStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error

func (*FositeMemoryStore) DeleteAccessTokenSession added in v0.6.0

func (s *FositeMemoryStore) DeleteAccessTokenSession(ctx context.Context, signature string) error

func (*FositeMemoryStore) DeleteOpenIDConnectSession added in v0.6.0

func (s *FositeMemoryStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error

func (*FositeMemoryStore) DeletePKCERequestSession added in v0.11.12

func (s *FositeMemoryStore) DeletePKCERequestSession(_ context.Context, code string) error

func (*FositeMemoryStore) DeleteRefreshTokenSession added in v0.6.0

func (s *FositeMemoryStore) DeleteRefreshTokenSession(ctx context.Context, signature string) error

func (*FositeMemoryStore) FlushInactiveAccessTokens added in v0.11.10

func (s *FositeMemoryStore) FlushInactiveAccessTokens(ctx context.Context, notAfter time.Time) error

func (*FositeMemoryStore) GetAccessTokenSession added in v0.6.0

func (s *FositeMemoryStore) GetAccessTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) GetAuthorizeCodeSession added in v0.6.0

func (s *FositeMemoryStore) GetAuthorizeCodeSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) GetOpenIDConnectSession added in v0.6.0

func (s *FositeMemoryStore) GetOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)

func (*FositeMemoryStore) GetPKCERequestSession added in v0.11.12

func (s *FositeMemoryStore) GetPKCERequestSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) GetRefreshTokenSession added in v0.6.0

func (s *FositeMemoryStore) GetRefreshTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error)

func (*FositeMemoryStore) InvalidateAuthorizeCodeSession

func (s *FositeMemoryStore) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error

func (*FositeMemoryStore) RevokeAccessToken added in v0.6.0

func (s *FositeMemoryStore) RevokeAccessToken(ctx context.Context, id string) error

func (*FositeMemoryStore) RevokeRefreshToken added in v0.6.0

func (s *FositeMemoryStore) RevokeRefreshToken(ctx context.Context, id string) error

type FositeSQLStore added in v0.6.0

type FositeSQLStore struct {
	client.Manager
	DB                  *sqlx.DB
	L                   logrus.FieldLogger
	AccessTokenLifespan time.Duration
}

func NewFositeSQLStore added in v0.11.10

func NewFositeSQLStore(m client.Manager,
	db *sqlx.DB,
	l logrus.FieldLogger,
	accessTokenLifespan time.Duration,
) *FositeSQLStore

func (*FositeSQLStore) CreateAccessTokenSession added in v0.6.0

func (s *FositeSQLStore) CreateAccessTokenSession(_ context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateAuthorizeCodeSession added in v0.6.0

func (s *FositeSQLStore) CreateAuthorizeCodeSession(_ context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateImplicitAccessTokenSession added in v0.6.0

func (s *FositeSQLStore) CreateImplicitAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateOpenIDConnectSession added in v0.6.0

func (s *FositeSQLStore) CreateOpenIDConnectSession(_ context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreatePKCERequestSession added in v0.11.12

func (s *FositeSQLStore) CreatePKCERequestSession(_ context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateRefreshTokenSession added in v0.6.0

func (s *FositeSQLStore) CreateRefreshTokenSession(_ context.Context, signature string, requester fosite.Requester) error

func (*FositeSQLStore) CreateSchemas added in v0.6.0

func (s *FositeSQLStore) CreateSchemas() (int, error)

func (*FositeSQLStore) DeleteAccessTokenSession added in v0.6.0

func (s *FositeSQLStore) DeleteAccessTokenSession(_ context.Context, signature string) error

func (*FositeSQLStore) DeleteOpenIDConnectSession added in v0.6.0

func (s *FositeSQLStore) DeleteOpenIDConnectSession(_ context.Context, signature string) error

func (*FositeSQLStore) DeletePKCERequestSession added in v0.11.12

func (s *FositeSQLStore) DeletePKCERequestSession(_ context.Context, signature string) error

func (*FositeSQLStore) DeleteRefreshTokenSession added in v0.6.0

func (s *FositeSQLStore) DeleteRefreshTokenSession(_ context.Context, signature string) error

func (*FositeSQLStore) FlushInactiveAccessTokens added in v0.11.10

func (s *FositeSQLStore) FlushInactiveAccessTokens(ctx context.Context, notAfter time.Time) error

func (*FositeSQLStore) GetAccessTokenSession added in v0.6.0

func (s *FositeSQLStore) GetAccessTokenSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) GetAuthorizeCodeSession added in v0.6.0

func (s *FositeSQLStore) GetAuthorizeCodeSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) GetOpenIDConnectSession added in v0.6.0

func (s *FositeSQLStore) GetOpenIDConnectSession(_ context.Context, signature string, requester fosite.Requester) (fosite.Requester, error)

func (*FositeSQLStore) GetPKCERequestSession added in v0.11.12

func (s *FositeSQLStore) GetPKCERequestSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) GetRefreshTokenSession added in v0.6.0

func (s *FositeSQLStore) GetRefreshTokenSession(_ context.Context, signature string, session fosite.Session) (fosite.Requester, error)

func (*FositeSQLStore) InvalidateAuthorizeCodeSession

func (s *FositeSQLStore) InvalidateAuthorizeCodeSession(ctx context.Context, signature string) error

func (*FositeSQLStore) RevokeAccessToken added in v0.6.0

func (s *FositeSQLStore) RevokeAccessToken(ctx context.Context, id string) error

func (*FositeSQLStore) RevokeRefreshToken added in v0.6.0

func (s *FositeSQLStore) RevokeRefreshToken(ctx context.Context, id string) error

type Handler

type Handler struct {
	OAuth2  fosite.OAuth2Provider
	Consent consent.Strategy
	Storage pkg.FositeStorer

	H herodot.Writer

	ForcedHTTP bool
	ErrorURL   url.URL

	AccessTokenLifespan time.Duration
	IDTokenLifespan     time.Duration
	CookieStore         sessions.Store

	JWTStrategy *jwk.RS256JWTStrategy

	L logrus.FieldLogger

	ScopeStrategy fosite.ScopeStrategy

	IssuerURL string

	ClaimsSupported  string
	ScopesSupported  string
	UserinfoEndpoint string
}

func (*Handler) AuthHandler

func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route GET /oauth2/auth oAuth2 oauthAuth

The OAuth 2.0 authorize endpoint

This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.

To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749

Consumes:
- application/x-www-form-urlencoded

Schemes: http, https

Responses:
  302: emptyResponse
  401: genericError
  500: genericError

func (*Handler) DefaultConsentHandler

func (h *Handler) DefaultConsentHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

func (*Handler) DefaultErrorHandler

func (h *Handler) DefaultErrorHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

func (*Handler) FlushHandler added in v0.11.10

func (h *Handler) FlushHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/flush oAuth2 flushInactiveOAuth2Tokens

Flush Expired OAuth2 Access Tokens

This endpoint flushes expired OAuth2 access tokens from the database. You can set a time after which no tokens will be not be touched, in case you want to keep recent tokens for auditing. Refresh tokens can not be flushed as they are deleted automatically when performing the refresh flow.

Consumes:
- application/json

Schemes: http, https

Responses:
  204: emptyResponse
  401: genericError
  500: genericError

func (*Handler) IntrospectHandler added in v0.6.0

func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/introspect oAuth2 introspectOAuth2Token

Introspect OAuth2 tokens

The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token is neither expired nor revoked. If a token is active, additional information on the token will be included. You can set additional data for a token by setting `accessTokenExtra` during the consent flow.

Consumes:
- application/x-www-form-urlencoded

Produces:
- application/json

Schemes: http, https

Security:
  basic:
  oauth2:

Responses:
  200: oAuth2TokenIntrospection
  401: genericError
  500: genericError

func (*Handler) RevocationHandler added in v0.6.0

func (h *Handler) RevocationHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/revoke oAuth2 revokeOAuth2Token

Revoke OAuth2 tokens

Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token. Revoking a refresh token also invalidates the access token that was created with it.

Consumes:
- application/x-www-form-urlencoded

Schemes: http, https

Security:
  basic:
  oauth2:

Responses:
  200: emptyResponse
  401: genericError
  500: genericError

func (*Handler) SetRoutes

func (h *Handler) SetRoutes(r *httprouter.Router)

func (*Handler) TokenHandler

func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /oauth2/token oAuth2 oauthToken

The OAuth 2.0 token endpoint

This endpoint is not documented here because you should never use your own implementation to perform OAuth2 flows. OAuth2 is a very popular protocol and a library for your programming language will exists.

To learn more about this flow please refer to the specification: https://tools.ietf.org/html/rfc6749

Consumes:
- application/x-www-form-urlencoded

Produces:
- application/json

Schemes: http, https

Security:
  basic:
  oauth2:

Responses:
  200: oauthTokenResponse
  401: genericError
  500: genericError

func (*Handler) UserinfoHandler added in v0.10.4

func (h *Handler) UserinfoHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route POST /userinfo oAuth2 userinfo

OpenID Connect Userinfo

This endpoint returns the payload of the ID Token, including the idTokenExtra values, of the provided OAuth 2.0 access token. The endpoint implements http://openid.net/specs/openid-connect-core-1_0.html#UserInfo .

Produces:
- application/json

Schemes: http, https

Security:
  oauth2:

Responses:
  200: userinfoResponse
  401: genericError
  500: genericError

func (*Handler) WellKnownHandler added in v0.8.2

func (h *Handler) WellKnownHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params)

swagger:route GET /.well-known/openid-configuration oAuth2 getWellKnown

Server well known configuration

The well known endpoint an be used to retrieve information for OpenID Connect clients. We encourage you to not roll your own OpenID Connect client but to use an OpenID Connect client library instead. You can learn more on this flow at https://openid.net/specs/openid-connect-discovery-1_0.html

Produces:
- application/json

Schemes: http, https

Responses:
  200: wellKnown
  401: genericError
  500: genericError

type Introspection added in v0.4.0

type Introspection struct {
	// Active is a boolean indicator of whether or not the presented token
	// is currently active.  The specifics of a token's "active" state
	// will vary depending on the implementation of the authorization
	// server and the information it keeps about its tokens, but a "true"
	// value return for the "active" property will generally indicate
	// that a given token has been issued by this authorization server,
	// has not been revoked by the resource owner, and is within its
	// given time window of validity (e.g., after its issuance time and
	// before its expiration time).
	Active bool `json:"active"`

	// Scope is a JSON string containing a space-separated list of
	// scopes associated with this token.
	Scope string `json:"scope,omitempty"`

	// ClientID is aclient identifier for the OAuth 2.0 client that
	// requested this token.
	ClientID string `json:"client_id,omitempty"`

	// Subject of the token, as defined in JWT [RFC7519].
	// Usually a machine-readable identifier of the resource owner who
	// authorized this token.
	Subject string `json:"sub,omitempty"`

	// Expires at is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token will expire.
	ExpiresAt int64 `json:"exp,omitempty"`

	// Issued at is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token was
	// originally issued.
	IssuedAt int64 `json:"iat,omitempty"`

	// NotBefore is an integer timestamp, measured in the number of seconds
	// since January 1 1970 UTC, indicating when this token is not to be
	// used before.
	NotBefore int64 `json:"nbf,omitempty"`

	// Username is a human-readable identifier for the resource owner who
	// authorized this token.
	Username string `json:"username,omitempty"`

	Audience []string `json:"aud,omitempty"`

	// IssuerURL is a string representing the issuer of this token
	Issuer string `json:"iss,omitempty"`

	// TokenType is the introspected token's type, for example `access_token` or `refresh_token`.
	TokenType string `json:"token_type,omitempty"`

	// Extra is arbitrary data set by the session.
	Extra map[string]interface{} `json:"ext,omitempty"`
}

Introspection contains an access token's session data as specified by IETF RFC 7662, see: https://tools.ietf.org/html/rfc7662 swagger:model oAuth2TokenIntrospection

type Session

type Session struct {
	*openid.DefaultSession `json:"idToken"`
	Audience               []string
	Extra                  map[string]interface{} `json:"extra"`
}

func NewSession

func NewSession(subject string) *Session

func (*Session) Clone added in v0.6.3

func (s *Session) Clone() fosite.Session

type WellKnown added in v0.8.2

type WellKnown struct {
	// URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.
	// If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned
	// by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.
	//
	// required: true
	Issuer string `json:"issuer"`

	// URL of the OP's OAuth 2.0 Authorization Endpoint.
	//
	// required: true
	AuthURL string `json:"authorization_endpoint"`

	// URL of the OP's Dynamic Client Registration Endpoint.
	RegistrationEndpoint string `json:"registration_endpoint"`

	// URL of the OP's OAuth 2.0 Token Endpoint
	//
	// required: true
	TokenURL string `json:"token_endpoint"`

	// URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
	// signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
	// to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
	// parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
	// Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
	// NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
	// keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
	//
	// required: true
	JWKsURI string `json:"jwks_uri"`

	// JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
	// pairwise and public.
	//
	// required: true
	SubjectTypes []string `json:"subject_types_supported"`

	// JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
	// Providers MUST support the code, id_token, and the token id_token Response Type values.
	//
	// required: true
	ResponseTypes []string `json:"response_types_supported"`

	// JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
	// values for. Note that for privacy or other reasons, this might not be an exhaustive list.
	ClaimsSupported []string `json:"claims_supported"`

	// JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
	GrantTypesSupported []string `json:"grant_types_supported"`

	// JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
	ResponseModesSupported []string `json:"response_modes_supported"`

	// URL of the OP's UserInfo Endpoint.
	UserinfoEndpoint string `json:"userinfo_endpoint"`

	// SON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
	// support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used
	ScopesSupported []string `json:"scopes_supported"`

	// JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
	// client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`

	//	JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
	UserinfoSigningAlgValuesSupported []string `json:"userinfo_signing_alg_values_supported"`

	// JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
	// to encode the Claims in a JWT.
	//
	// required: true
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`

	// 	Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
	RequestParameterSupported bool `json:"request_parameter_supported"`

	// Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
	RequestURIParameterSupported bool `json:"request_uri_parameter_supported"`

	// Boolean value specifying whether the OP requires any request_uri values used to be pre-registered
	// using the request_uris registration parameter.
	RequireRequestURIRegistration bool `json:"require_request_uri_registration"`

	// Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
	ClaimsParameterSupported bool `json:"claims_parameter_supported"`
}

swagger:model wellKnown

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL